Bug 261738

Summary: HTTP Basic Auth in URL not used
Product: WebKit Reporter: Janik Besendorf <janik>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: REOPENED ---    
Severity: Normal CC: annevk, ap, beidson, janik, karlcow, webkit-bug-importer, youennf
Priority: P2 Keywords: BrowserCompat, InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Janik Besendorf 2023-09-19 06:36:29 PDT 
When navigation to a URL that includes HTTP Basic Auth login information in the format like USER:PASSWORD@example.com the part before the @ is ignored and a popup that asks for a username and a password is displayed
Comment 1 Alexey Proskuryakov 2023-09-20 17:08:29 PDT 
I think that this may be intentional, but cannot remember the details. Adding some people who may know.
Comment 2 Anne van Kesteren 2023-09-21 03:03:15 PDT 
Yeah, this would make it very easy to perform dictionary attacks or phish the end user in some way.

Various groups, including the HTTP WG, have been deprecating this format for HTTP URLs.
Comment 3 Janik Besendorf 2023-09-21 05:12:24 PDT 
Firefox and Chrome support this feature on mobile and Desktop. I don't see how this could be used for phishing. Could you elaborate on this? Could you send a link to the HTTP WG statement?
Comment 4 Anne van Kesteren 2023-09-21 07:25:20 PDT 
Thanks, I guess we should keep this open for now then. The phishing aspect for these URLs is mainly that you could put something before the `@` that might confuse the end user about where they are going.

It's deprecated for all URLs apparently: https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.1. https://url.spec.whatwg.org agrees with this though states it in a less obvious manner.
Comment 5 Radar WebKit Bug Importer 2023-09-26 06:37:11 PDT 
<rdar://problem/116052283>